IT Security News Blast 9-14-2017

Equifax confirms Apache Struts security flaw it failed to patch is to blame for hack

“The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.” For its part, Equifax still has not provided any evidence to support the claim. The cited Apache Struts flaw dates back to March, according to a public vulnerability disclosure. Patches were released for the vulnerability, suggesting that Equifax did not install the security updates.

[HITRUST] can be a critical framework for healthcare organizations, especially as it incorporates numerous other frameworks (i.e. ISO, SANS, HIPAA). While it is not required to be HITRUST certified, Rathburn noted that it could be beneficial in helping entities find options best suited to their data security needs. Healthcare organizations must determine reasonable and appropriate security measures for their own needs and characteristics, according to HHS.

HIPAA was established before these cyber threats became such an issue, which can cause some challenges with trying to keep up, said Matt Fisher, partner with Mirick O’Connell, in opening the HIPAA compliance session at the Healthcare Security Forum on Monday. “The best thing an organization can do is try to stay ahead of the issues,” Fisher said. “As soon as you identify issues that could turn into problems, you have to seek help. And don’t try to do it alone.”

Data sharing with third parties is seen as one of the biggest vulnerabilities among healthcare providers and insurers with 63% of respondents mentioning it as a key vulnerability, even more than those concerned about Internet-enabled devices leading to a breach, the survey showed. KPMG surveyed 100 C-Suite security executives at healthcare companies and another 100 at life sciences companies.

With Russia’s seizure of Crimea in 2014 and its intervention in Syria’s war in 2015, NATO is distrustful of the Kremlin’s public message. In Crimea, Moscow proved a master of “hybrid warfare”, with its mix of cyber-attacks, disinformation campaigns, and use of Russian and local forces without insignia. One senior European security official said Zapad would merge manoeuvres across Russia’s four western military districts in a “complex, multi-dimensional aggressive, anti-NATO exercise”.

While many specifics of future high-tech attacks are not expected to be known currently, the emphasis of the training was to prepare for the fast pace of technological change and be ready for adaptations to be made by potential adversaries, such as Russia or China. Participants in the exercise experimented with more than 40 capabilities geared toward responding to attacks from near-peer adversaries, Morrison said. “We want to defend networks and provide the operational edge with an ability to detect new attacks and remediate those attacks in a rapid fashion.”

After all, how difficult is it to turn a driverless car into a driverless car bomb? The almost inevitable growth in the automation of planes, trains, buses, ships, and unmanned aerial vehicles will offer nefarious actors myriad opportunities to tamper with control and navigation systems, potentially affording them the chance to cause a mass casualty event without having anyone present at the scene of the attack. Imagine a worst case scenario in which we experience a 9/11–type attack—but without any actual hijackers.

Director of National Intelligence Dan Coats opened the 8th Annual Billington Cybersecurity Summit with a warning that digital threats to the United States are mounting. “We have not experienced — yet — a catastrophic attack. But I think everyone in this room is aware of the ever-growing threat to our national security,” Coats said, adding that attacks on electrical grids and other utilities are a rising concern.

“The department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” Ms Duke wrote.

The Israeli Securities Authority (ISA) recently announced that it will establish a committee to review potential regulations for initial coin offerings (ICOs) — a new form of raising capital with digital currency, akin to a stock market’s initial public offering (IPO). […] The Alignment incubator strives to assist, develop and fund “unique and high-quality projects” in Israel’s emerging digital currency ecosystem. The incubator is the collaborative creation of Israeli cryptocurrency investment groups BlockchainIL, CoinTree Capital and Singulariteam.

The Connected Black Market: How the Dark Web Has Empowered LatAm Organized Crime

Smartphone proliferation has jumpstarted the regional “crime as a service” economy, an amorphous online marketplace where criminals can purchase ready-made digital tools or services that help them carry out sophisticated criminal activities. De Andrés said crime as a service in Latin America and the Caribbean has expanded fivefold in the last three and a half years, fomenting a symbiotic cyber crime ecosystem where diverse criminal markets come together, with each sector supporting the others.

The exploit broker is interested in high-complexity exploits that do not require user interaction or show any errors or popups. Zerodium said it’s looking for zero-days that require users only to visit a web page. The company is not picky, accepting zero-days that work against Tor Browser instances running with security settings set to “high” (JavaScript disabled) or security settings set to “low” (default Tor Browser configuration).

Mueller investigation focusing on social media’s role in 2016 election: report

Likewise, Twitter is expected to hand over to Congress an analysis of Russian activity on its platform, similar to the one provided by Facebook last week. Social media has become an increasingly vulnerable target for foreign nations to try to influence the elections and policies of other countries, according to Bloomberg. U.S. intelligence agencies, including the FBI and the Office of the Director of National Intelligence, are exploring how to prevent future election meddling.

“The government cannot use the border as a dragnet to search through our private data,” ACLU attorney Esha Bhandari said in a release. “Our electronic devices contain massive amounts of information that can paint a detailed picture of our personal lives, including emails, texts, contact lists, photos, work documents, and medical or financial records. The Fourth Amendment requires that the government get a warrant before it can search the contents of smartphones and laptops at the border.”

It’s found a place in the transportation, surveillance, science, medicine, and education industries. […] There is definitely a possibility of a widespread displacement of humans due to AI, but there is also just as much opportunity for new roles in the AI landscape. Someone has to train the machine, someone has to make sure that the machine evolves, and someone must also address training and evolution if they want to realize the technology’s full benefits.

The bill has been stalled in the legislature’s rules committee for weeks, but advanced on Tuesday, when lawmakers cleared the way for a Friday vote. The measure has drawn vigorous opposition from the major broadband carriers, Association of National Advertisers, Facebook, Google and other industry groups. Opponents argue in a September 12 letter to lawmakers that the bill is “vague,” and also make the extraordinary claim that it will increase the likelihood of cyber threats.

With the Fall Creators Update, Microsoft is switching things around to make Windows behave more like mobile platforms: all access to these sensitive things will now require an explicit per-application opt-in, with an on-screen prompt to allow, for example, access to the camera. On installing the update, existing applications will retain their permissions, but any new apps installed from the Windows Store will require their access to be enabled. As with the Creators Update, Microsoft is making privacy information easier to see during the Windows install process, showing the full privacy statement that outlines what data the operating system collects and when.

With its homonymous open source, encrypted IM offering, Wire’s (and Duric’s) goal is to disrupt the privacy selling market headed by Google and Facebook, and offer secured communication to private users and organizations. […] And, with the imminent advent of EU’s General Data Protection Regulative (GDPR) and the heavy fines that will (finally!) be imposed on those who fail to protect their customers’ information, companies should definitely be eyeing workable solutions for end-to-end encrypted communications.

The service, one of Google’s first attempts at an anti-malware tool, first launched as a feature of the company’s flagship search engine on the desktop back in 2007. Since then, both Safari and Firefox have adopted the service, in addition to many web and app developers (including the likes of Snapchat). The general idea behind Safe Browsing has always remained the same, though: tell users when the site they are browsing is likely deceptive or plays host to malware.

“The absence of authentication on some Elasticsearch servers allowed attackers to take full administrative control on the exposed instance,” wrote Bob Diachenko, Kromtech’s chief communication officer on Tuesday in a blog post outlining the research. Insecure servers, he said, have opened the door for hackers to use them for a wide range of illegal activities such as stealing or destroying hosted data and using servers to hide command-and-control servers for PoS malware strains.

The malware’s second installment tries to trick users of Windows OS with a different technique where a message Your Windows Has Been Banned appears on the computer’s lock screen when the PC is booted, and then the attacker gives victim two options:

Want more cybersecurity information?

We may also occasionally send you information about Critical Informatics products and solutions; you can unsubscribe at anytime if desired.Leave this field empty if you're human:

About Critical Informatics

We are world-class information security professionals providing Managed Detection and Response services to help you be secure, compliant, and resilient against threats to the life safety, life-sustaining, and quality-of-life systems and services you provide to clients, customers, constituents, and communities.